# getting-started

fresh-musician-40418

08/22/2022, 12:57 PM
Hello team, Our team just started to use Pulumi Service and we have an organization. Is there a way to generate access token on behalf of that organization? I can only generate my individual personal access token. If there is a way, do I need to be an admin of that organization?

stocky-restaurant-98004

08/22/2022, 12:59 PM
You do need to be an admin to create an org token, per: https://www.pulumi.com/docs/intro/pulumi-service/organization-access-tokens/

fresh-musician-40418

08/22/2022, 1:07 PM
Thank you for confirming @stocky-restaurant-98004 🙏

crooked-notebook-49997

08/22/2022, 4:02 PM
Docs say "Organization tokens are available on trials, and Enterprise and Business Critical subscriptions." We are on a trial but will eventually be on Team pricing, not Enterprise or Business Critical at this time.
Best practice, regardless of Org size would seem to be to have Org Tokens, but if that is a restriction to only enterprise teams, that would seem to force us to use a workaround like a shared account, but is not great security. Or is there an alternative or something we're missing?

little-cartoon-10569

08/22/2022, 10:56 PM
You can use a non-shared CI account.

crooked-notebook-49997

08/23/2022, 6:09 PM
@stocky-restaurant-98004 Can you confirm Org Tokens are not available on Team accounts after the trial ends?
@little-cartoon-10569 Could you elaborate? We do have the Pulumi app installed and configured in GitHub.

stocky-restaurant-98004

08/23/2022, 8:15 PM
@crooked-notebook-49997 That's correct - they will no longer be available once the trial ends.

crooked-notebook-49997

08/23/2022, 8:16 PM
So what would be the recommendation in that case for configuring access without personal tokens?

little-cartoon-10569

08/23/2022, 8:35 PM
@crooked-notebook-49997 I think it's what you meant when you said "a workaround like a shared account". Just, don't share it. There's no need for anyone to use it once it's created and set up in CI. The creds remain in a vault and no one ever logs in as it.

crooked-notebook-49997

08/23/2022, 8:37 PM
So we have such an account we use for CD in other scenarios. I say it's a shared account, but in reality we do not share the creds and we do not want to. So while I have access, @fresh-musician-40418 does not, and he is setting up Pulumi.

little-cartoon-10569

08/23/2022, 8:39 PM
Is this your current problem?
• Limited number of accounts (3, iirc).
• 1 needs to be admin (you).
• 1 needs to be CI.
• You have 15 other infra devs.
We have this with one project. It is the ultimate push towards gitops! 🙂

crooked-notebook-49997

08/23/2022, 8:40 PM
Yup, I think so, more or less.

little-cartoon-10569

08/23/2022, 8:40 PM
Our solution was for dev envs to use local / private state, and only CI to use the Pulumi service. It's not awesome, but it forces excellent practices with things like project and stack naming. And in our case, the problem went away just after we got everything working acceptably, because the company saw how useful Pulumi was and upgraded us.

crooked-notebook-49997

08/23/2022, 8:41 PM
• 1 Me (Admin in GH and Pulumi)
• 1 CI (Admin in GH and Pulumi)
• 4-5 Devs
3 shared environments and corresponding branches: Dev, Stage, Prod. Plus, each developer has their own environment (AWS) (and branch). Desire is to manage/store Pulumi State Files in Pulumi (vs. local or S3).

little-cartoon-10569

08/23/2022, 8:49 PM
CI doesn't need to be admin...
The only way to achieve that on the lower-tier plans and prevent shared credentials is to not give devs direct access to Pulumi and require everything to be done via GH. Dev envs can be managed just like stage / prod etc. Only the CI user does any real deployments.

crooked-notebook-49997

08/23/2022, 9:03 PM
Alright. All good advice and help. We'll continue and see where we end up. Thanks!